Re: Command Injection Vulnerability in stat.qwest.net - OFFTOPIC

["Kurt Seifried" <listuser () seifried org>]

Why are you telling us this? How does it affect anyone, but qwest, who you
notified, and who fixed it. Do we now send out a security advisory every
time we notify sometime to disable a vulnerable service (sir, you have
telnet enabled). This is getting ridiculous.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/


----- Original Message ----- 
From: "Dan Daggett" <csiwebmaster () csi edu>
To: "Full-Disclosure" <full-disclosure () lists netsys com>
Sent: Thursday, August 21, 2003 5:09 PM
Subject: [Full-disclosure] Command Injection Vulnerability in stat.qwest.net


> [Vulnerable Site]
>
> http://stat.qwest.net
>
>
> [Site Purpose]
>
> Site can be used by network administrators and engineers to test network
> connectivity, view Qwest's backbones, and test latency across Qwest's
> network.
>
>
> [Vulnerable Page]
>
> http://stat.qwest.net/cgi-bin/jlg-new.pl
>
> This page can be accessed through
> http://stat.qwest.net/looking_glass.html
>
>
> [Page Purpose]
>
> Run ping and traceroute from various routers/computers in many locations
> across Qwest's network, including North America and Asia.
>
>
> [Command Injection]
>
> While running a ping on a site that wasn't up, the error message made me
> realize that the perl script was shelling out a command to a remote
> system and tacking my input into it.
>
> For example in the dropdown box pick any router and select ping or
> traceroute.  In this case I selected ping.  Type in a nonexistent site
> such as nositehere.nope.  Here is what was returned in the page.
>
> /usr/sbin/ping: unknown host nositehere.nope
>
> My next thought was whether or not proper checking had been done to
> avoid escaping the command and running my own code.  This time I used a
> semicolon to add my own commands on to the end: nositehere.nope;id;uname
> -a;  I put the ending semicolon on in case there was additional
> parameters added to the ping command.  Here is the result.
>
> Pinging nositehere.nope;id; from atl-engr-01.inet.qwest.net
>
> uid=60001(nobody) gid=60001(nobody)
>
>
> [Problem Fix]
>
> The vulnerability here lies in the fact that unfiltered user input is
> passed by the Perl script directly to the command line.  Something as
> simple as verifying that only certain characters will be passed to the
> command prompt would prevent this.
>
> For example this would drop any characters that were not alphanumberic,
> dash, underscore, and a period.
>
> $user_input  =~ s/[^A-Za-z0-9_-.]//g;
>
>
> [Vendor Contact]
>
> Sent email to security () qwest net on August 19th.
>
> Problem fixed August 21, 2003
>
>
> [Contact Info]
>
> Report can be viewed online
> http://www.socialgeeks.com/advisories/qwest_aug_21_2003.php
>
> Submitted to list on August 21, 2003 by Dan Daggett
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html